    Use-after-free in AXObjectCache::notificationPostTimerFired · b6555711
    dmazzoni@google.com authored
    https://bugs.webkit.org/show_bug.cgi?id=106106
    
    Reviewed by Ryosuke Niwa.
    
    Source/WebCore:
    
    Fixes a crash that occurs when a Node is adopted by another document,
    in particular one that isn't part of the page, and then deleted,
    which wasn't triggering the code that removed the Node from
    AXObjectCache. Now, a Node is removed from the AXObjectCache whenever
    its Document changes.
    
    Test: accessibility/crash-adopt-node-from-new-document.html
    
    * dom/Node.cpp:
    (WebCore::Node::didMoveToNewDocument):
    
    LayoutTests:
    
    Test that demonstrates the crash when a Node with an
    AccessibilityObject changes its document and then isn't removed from
    the AXObjectCache when it's deleted.
    
    * accessibility/crash-adopt-node-from-new-document-expected.txt: Added.
    * accessibility/crash-adopt-node-from-new-document.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139806 268f45cc-cd09-0410-ab3c-d52691b4dbfc
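The lifetime gap described in the commit message, shown as an added example that is not part of the original commit and is not WebKit code. It is a simplified model with hypothetical names (`Cache`, `Doc`, `moveToNewDocument`, `destroyNode`, `staleEntries`), and it tracks nodes by id so the stale cache entry can be counted without touching freed memory.

```cpp
#include <cstddef>
#include <unordered_set>

// Simplified model of the lifetime bug; every name here is hypothetical,
// none of this is WebKit source. Nodes are tracked by id so the stale
// entry can be observed without touching freed memory.
struct Cache {
    std::unordered_set<int> nodes;              // ids the cache still references
};

struct Doc {
    Cache* cache;                               // nullptr: document not part of a page
};

struct Node {
    int id;
    Doc* doc;
};

// Models the document-change hook. `patched` selects the fixed behaviour:
// drop the node from the old document's cache before switching documents.
void moveToNewDocument(Node& n, Doc& newDoc, bool patched) {
    if (patched && n.doc->cache)
        n.doc->cache->nodes.erase(n.id);
    n.doc = &newDoc;
}

// Models node destruction: cleanup only reaches the cache of the node's
// *current* document, which is the gap the commit message describes.
void destroyNode(Node& n, std::unordered_set<int>& live) {
    if (n.doc->cache)
        n.doc->cache->nodes.erase(n.id);
    live.erase(n.id);
}

// Entries a later timer callback would dereference after the node is gone.
std::size_t staleEntries(bool patched) {
    Cache pageCache;
    Doc pageDoc{&pageCache};
    Doc detachedDoc{nullptr};
    std::unordered_set<int> live{1};
    Node n{1, &pageDoc};
    pageCache.nodes.insert(n.id);               // node gets an accessibility object

    moveToNewDocument(n, detachedDoc, patched);
    destroyNode(n, live);

    std::size_t stale = 0;
    for (int id : pageCache.nodes)
        if (!live.count(id)) ++stale;
    return stale;
}
```

In the unpatched path the page document's cache keeps one entry for a node that no longer exists; with the removal done at document-change time the cache is empty before the node is destroyed.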